System and method for processing packets according to concurrently reconfigurable rules

US 7,570,663 B2
Filed: 07/25/2005
Issued: 08/04/2009
Est. Priority Date: 06/23/2000
Status: Expired due to Term

First Claim

Patent Images

1. An apparatus for processing a plurality of packets, each of the plurality of packets being communicated via a network from a source to a destination intended by the source, each of the plurality of packets comprising a plurality of portions, the apparatus comprising:

a rules memory operative to store a first plurality of rules, wherein the first plurality of rules comprises a first root rule stored in a first memory location in the rules memory and further wherein each of the remaining of the first plurality of rules is hierarchically linked with the first root rule and defines at least one operation to be performed, the first root rule operative to define which of the plurality of packets are to be captured for subsequent processing and which of the remaining of the first plurality of rules is to be subsequently executed, the rules memory being further capable of storing a second plurality of rules, wherein the second plurality of rules comprises a second root rule stored in a second memory location in the rules memory and further wherein each of the remaining of the second plurality of rules is hierarchically linked with the second root rule and defines at least one operation to be performed, the second root rule operative to define which of the plurality of packets are to be captured for subsequent processing and which of the remaining of the second plurality of rules is to be subsequently executed;

a first processor coupled with the rules memory, a pointer memory location and the network, the pointer memory location operative to store a pointer address specifying the first memory location and being further capable of being changed to specify the second memory location, wherein the first processor is operative to retrieve one of the first or second root rules by accessing the pointer memory location to obtain the pointer address and retrieving the first or second root rule based thereon and further operative to execute the first or second root rule to examine at least a first portion of the plurality of portions of at least one of the plurality of packets and capture the examined packet from the network as defined by the first or second root rule;

a packet memory coupled with the first processor and operative to store the captured packet; and

a second processor coupled with the first processor, the packet memory and the rules memory, the second processor operative to select a second rule of the first or second plurality of rules from the rules memory, the selection being based on at least the first or second root rule, and execute the at least one operation of the second rule.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus and method for enhancing the infrastructure of a network such as the Internet is disclosed. A packet interceptor/processor apparatus is coupled with the network so as to be able to intercept and process packets flowing over the network. Further, the apparatus provides external connectivity to other devices that wish to intercept packets as well. The apparatus applies one or more rules to the intercepted packets which execute one or more functions on a dynamically specified portion of the packet and take one or more actions with the packets. The apparatus is capable of analyzing any portion of the packet including the header and payload. Actions include releasing the packet unmodified, deleting the packet, modifying the packet, logging/storing information about the packet or forwarding the packet to an external device for subsequent processing. Further, the rules may be dynamically modified by the external devices.

117 Citations

View as Search Results

97 Claims

1. An apparatus for processing a plurality of packets, each of the plurality of packets being communicated via a network from a source to a destination intended by the source, each of the plurality of packets comprising a plurality of portions, the apparatus comprising:
- a rules memory operative to store a first plurality of rules, wherein the first plurality of rules comprises a first root rule stored in a first memory location in the rules memory and further wherein each of the remaining of the first plurality of rules is hierarchically linked with the first root rule and defines at least one operation to be performed, the first root rule operative to define which of the plurality of packets are to be captured for subsequent processing and which of the remaining of the first plurality of rules is to be subsequently executed, the rules memory being further capable of storing a second plurality of rules, wherein the second plurality of rules comprises a second root rule stored in a second memory location in the rules memory and further wherein each of the remaining of the second plurality of rules is hierarchically linked with the second root rule and defines at least one operation to be performed, the second root rule operative to define which of the plurality of packets are to be captured for subsequent processing and which of the remaining of the second plurality of rules is to be subsequently executed;
  
  a first processor coupled with the rules memory, a pointer memory location and the network, the pointer memory location operative to store a pointer address specifying the first memory location and being further capable of being changed to specify the second memory location, wherein the first processor is operative to retrieve one of the first or second root rules by accessing the pointer memory location to obtain the pointer address and retrieving the first or second root rule based thereon and further operative to execute the first or second root rule to examine at least a first portion of the plurality of portions of at least one of the plurality of packets and capture the examined packet from the network as defined by the first or second root rule;
  
  a packet memory coupled with the first processor and operative to store the captured packet; and
  
  a second processor coupled with the first processor, the packet memory and the rules memory, the second processor operative to select a second rule of the first or second plurality of rules from the rules memory, the selection being based on at least the first or second root rule, and execute the at least one operation of the second rule.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48)
- - 2. The apparatus of claim 1, wherein the first processor is different from the second processor.
  - 3. The apparatus of claim 1, wherein the first and second root rules are further operative to define which of the plurality of packets are to be captured for subsequent processing based on the first portion.
  - 4. The apparatus of claim 1, wherein the selection by the second processor of the second rule is further based on a second portion of the plurality of the plurality of portions of the captured packet.
  - 5. The apparatus of claim 1, wherein the at least one operation to be performed is based on a second portion of the plurality of the plurality of portions of the captured packet.
  - 6. The apparatus of claim 1, wherein each of the remaining of the first and second plurality of rules further defines a subsequent of the remaining first and second plurality of rules for subsequent execution.
  - 7. The apparatus of claim 1, wherein in the pointer memory location is capable of being changed concurrently with the execution of at least one of the first or second root rules or second rule.
  - 8. The apparatus of claim 1, wherein the remaining of the first plurality of rules comprises the remaining of the second plurality of rules.
  - 9. The apparatus of claim 1, wherein the first processor is further operative to capture the examined packet prior to receipt by the intended destination.
  - 10. The apparatus of claim 1, further comprising:
    - a state memory coupled with the second processor wherein the execution of the at least one operation of the second rule further comprises storing a result of the at least one operation of the second rule in the state memory; and
      
      wherein;
      
      the first processor is further operative to execute the first or second root rule to examine at least the first portion of each subsequent of the plurality of packets and capture the examined subsequent packet of the plurality of packets from the network as defined by the first or second root rule;
      
      the packet memory is further operative to store the captured subsequent packet; and
      
      the second processor is further operative to select a third rule of the first or second plurality of rules from the rules memory and execute the at least one operation of the third rule, the at least one operation of the third rule capable of directing the second processor to retrieve the result from the state memory for subsequent processing.
  - 11. The apparatus of claim 1, wherein at least one of the rules memory, packet memory or combinations thereof, are external to the second processor.
  - 12. The apparatus of claim 1, wherein the rules memory and packet memory are internal to the second processor.
  - 13. The apparatus of claim 1, further comprising:
    - a transmitter coupled with the second processor, the packet memory and the network and operative to transmit at least a portion of the contents of the packet memory onto the network.
  - 14. The apparatus of claim 13, wherein transmitter transmits in response to an instruction received from the second processor, the instruction being generated by the second processor based on the execution of the at least one operation.
  - 15. The apparatus of claim 13, wherein the contents of the packet memory may be modified prior to transmission.
  - 16. The apparatus of claim 13, wherein the transmitter is further operative to transmit to a destination different than the intended destination of the captured packet.
  - 17. The apparatus of claim 13, wherein the transmitter is further operative to transmit to the intended destination of the captured packet.
  - 18. The apparatus of claim 1, wherein each of the first and second plurality of rules is programmable.
  - 19. The apparatus of claim 1, wherein the second rule comprises a function, the result of the function being at least dependent upon a data value associated with the function, the data value being modifiable independent of the function.
  - 20. The apparatus of claim 19, wherein the data value is stored in a memory other than the rules memory, the memory being coupled with the second processor and accessible by the second rule.
  - 21. The apparatus of claim 1, further comprising:
    - an interface coupled with the rules memory and operative to allow access to the first plurality of rules.
  - 22. The apparatus of claim 21, wherein the interface is further operative to allow any of the first plurality of rules to be at least one of modified, replaced, deleted, supplemented or combinations thereof.
  - 23. The apparatus of claim 21, wherein the interface is further operative to allow any of the first plurality of rules to be dynamically modified.
  - 24. The apparatus of claim 1, further comprising:
    - an interface coupled with the rules memory and operative to receive and store the second plurality of rules in the rules memory at the second memory location, the interface being further coupled with the pointer memory location to allow the pointer address to be changed to specify the second memory location.
  - 25. The apparatus of claim 1, wherein the first and second processors comprise at least one of a microcoded processor, a field programmable gate array, an application specific integrated circuit or combinations thereof.
  - 26. The apparatus of claim 1, wherein the rules memory comprises at least one of a microcode storage, set of logic gates, or combinations thereof, and wherein the second rule comprises at least microcode stored in the microcode storage, a combination of at least a portion of the set of logic gates, or combinations thereof.
  - 27. The apparatus of claim 1, wherein the first processor comprises a classification processor.
  - 28. The apparatus of claim 1, wherein the rules memory comprises a content addressable memory.
  - 29. The apparatus of claim 1, wherein the at least one operation of the second rule comprises at least one of data gathering, decision, action or combinations thereof.
  - 30. The apparatus of claim 1, wherein the at least one operation of the second rule comprises at least one of modify the captured packet, delete the captured packet, release the captured packet, copy the captured packet, substitute for the captured packet, forward the captured packet, forward a copy of the captured packet, store data relating to the captured packet, compare at least a portion of the captured packet, or combinations thereof.
  - 31. The apparatus of claim 1, wherein the at least one operation of the second rule comprises at least one of evaluate a mathematical algorithm, evaluate a Boolean function, determine which of the first or second plurality of rules the second processor is to retrieve next, execute another of the first or second plurality of rules, evaluate past activity, compare data or combinations thereof.
  - 32. The apparatus of claim 1, wherein the first and second plurality of rules comprise a default rule operative to release the captured packet to the network for transmission to the intended destination.
  - 33. The apparatus of claim 1, wherein the first and second plurality of rules further comprise a plurality of rule sets, each of the plurality of rule sets comprising a portion of the plurality of rules.
  - 34. The apparatus of claim 33, wherein the portion of the first and second plurality of rules associated with each rule set comprises a root rule hierarchically linked with the remaining rules of the portion.
  - 35. The apparatus of claim 33, wherein each rule set comprises an application.
  - 36. The apparatus of claim 33, wherein at least two or more rule sets are interlinked.
  - 37. The apparatus of claim 33, wherein each rule set comprises a storage memory operative to store data at least one of generated by, used by or combinations thereof, at least one of the portion of the plurality of rules.
  - 38. The apparatus of claim 37, wherein the data comprises data representative of state.
  - 39. The apparatus of claim 37, wherein the storage memory is accessible only by the associated rule set.
  - 40. The apparatus of claim 33, wherein the second processor is further operative to execute the at least one operation of more than one rule of the first and second plurality of rules substantially simultaneously.
  - 41. The apparatus of claim 1, wherein each of the plurality of portions comprises a data layer.
  - 42. The apparatus of claim 1, wherein the intended destination comprises at least one of a physical destination, a logical destination, or combinations thereof.
  - 43. The apparatus of claim 1, wherein the execution of the at least one operation of the second rule generates a result, the second processor being further operative to retrieve a third rule of the first or second plurality of rules from the rules memory and execute the at least one operation of the third rule based on the result.
  - 44. The apparatus of claim 1, further comprising:
    - a storage memory coupled with the second processor and operative to store a result of the at least one operation of the second rule; and
      
      an interface coupled with the storage memory and operative to allow the stored result to be at least one of read, modified or combinations thereof.
  - 45. The apparatus of claim 1, wherein each of the plurality of packets is further characterized by at least one parameter not directly specified by any of the plurality of portions, the apparatus further comprising:
    - a transmitter coupled with the second processor, the packet memory and the network and operative to transmit at least a portion of the contents of the packet memory onto the network based on the at least one parameter.
  - 46. The apparatus of claim 1, wherein each of the plurality of packets is further characterized by at least one parameter not directly specified by any of the plurality of portions, and further wherein at least one of the first or second plurality of rules further defines at least one operation to be performed based on at least one of the at least one parameter.
  - 47. The apparatus of claim 46, wherein the at least one parameter comprises a time stamp.
  - 48. The apparatus of claim 46, wherein the at least one parameter is derived from the packet.

49. An method for processing a plurality of packets, each of the plurality of packets being communicated via a network from a source to a destination intended by the source, each of the plurality of packets comprising a plurality of portions, the method comprising:
- Storing a first plurality of rules in a rules memory, wherein the first plurality of rules comprises a first root rule stored in a first memory location in the rules memory and further wherein each of the remaining of the first plurality of rules is hierarchically linked with the first root rule and defines at least one operation to be performed, the first root rule operative to define which of the plurality of packets are to be captured for subsequent processing and which of the remaining of the first plurality of rules is to be subsequently executed, the rules memory being further capable of storing a second plurality of rules, wherein the second plurality of rules comprises a second root rule stored in a second memory location in the rules memory and further wherein each of the remaining of the second plurality of rules is hierarchically linked with the second root rule and defines at least one operation to be performed, the second root rule operative to define which of the plurality of packets are to be captured for subsequent processing and which of the remaining of the second plurality of rules is to be subsequently executed;
  
  storing a pointer address in a pointer memory location coupled with a first processor, the first processor being further coupled with the rules memory and the network, the pointer address specifying the first memory location and being further capable of being changed to specify the second memory location;
  
  retrieving, by the first processor, one of the first or second root rules by accessing the pointer memory location to obtain the pointer address and retrieving the first or second root rule based thereon and executing the first or second root rule to examine at least a first portion of the plurality of portions of at least one of the plurality of packets and capture the examined packet from the network as defined by the first or second root rule;
  
  storing the captured packet in a packet memory coupled with the first processor; and
  
  selecting, by a second processor coupled with the first processor, the packet memory and the rules memory, a second rule of the first or second plurality of rules from the rules memory, the selection being based on at least the first or second root rule, and executing the at least one operation of the second rule.
- View Dependent Claims (50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96)
- - 50. The method of claim 49, wherein the first processor is different from the second processor.
  - 51. The method of claim 49, wherein the first and second root rules are further operative to define which of the plurality of packets are to be captured for subsequent processing based on the first portion.
  - 52. The method of claim 49, wherein the selecting of the second rule further comprises selecting the second rule further based on a second portion of the plurality of the plurality of portions of the captured packet.
  - 53. The method of claim 49, wherein the at least one operation to be performed is based on a second portion of the plurality of the plurality of portions of the captured packet.
  - 54. The method of claim 49, wherein each of the remaining of the first and second plurality of rules further defines a subsequent of the remaining first and second plurality of rules for subsequent execution.
  - 55. The method of claim 49, wherein in the pointer memory location is capable of being changed concurrently with the execution of at least one of the first or second root rules or second rule.
  - 56. The method of claim 49, wherein the remaining of the first plurality of rules comprises the remaining of the second plurality of rules.
  - 57. The method of claim 49, wherein the first processor is further operative to capture the examined packet prior to receipt by the intended destination.
  - 58. The method of claim 49, wherein the executing of the at least one operation of the second rule further comprises storing a result of the at least one operation of the second rule in a state memory coupled with the second processor and wherein the executing by the first processor further comprises executing the first or second root rule to examine at least the first portion of each subsequent of the plurality of packets and capture the examined subsequent packet of the plurality of packets from the network as defined by the first or second root rule, the method further comprising:
    - storing the captured subsequent packet in the packet memory; and
      
      selecting, by the second processor, a third rule of the first or second plurality of rules from the rules memory and executing the at least one operation of the third rule, the at least one operation of the third rule capable of directing the second processor to retrieve the result from the state memory for subsequent processing.
  - 59. The method of claim 49, wherein at least one of the rules memory, packet memory or combinations thereof, are external to the second processor.
  - 60. The method of claim 49, wherein the rules memory and packet memory are internal to the second processor.
  - 61. The method of claim 49, further comprising:
    - transmitting at least a portion of the contents of the packet memory onto the network.
  - 62. The method of claim 61, wherein the transmitting further comprises transmitting in response to an instruction received from the second processor, the instruction being generated by the second processor based on the execution of the at least one operation.
  - 63. The method of claim 61, further comprising modifying the contents of the packet memory prior to transmission.
  - 64. The method of claim 61, wherein the transmitting further comprises transmitting to a destination different than the intended destination of the captured packet.
  - 65. The method of claim 61, wherein the transmitting further comprises transmitting to the intended destination of the captured packet.
  - 66. The method of claim 49, wherein each of the first and second plurality of rules is programmable.
  - 67. The method of claim 49, wherein the second rule comprises a function, the result of the function being at least dependent upon a data value associated with the function, the data value being modifiable independent of the function.
  - 68. The method of claim 67, wherein the data value is stored in a memory other than the rules memory, the memory being coupled with the second processor and accessible by the second rule.
  - 69. The method of claim 49, further comprising:
    - allowing access to the first plurality of rules.
  - 70. The method of claim 69, further comprising allowing any of the first plurality of rules to be at least one of modified, replaced, deleted, supplemented or combinations thereof.
  - 71. The method of claim 69, further comprising allowing any of the first plurality of rules to be dynamically modified.
  - 72. The method of claim 49, further comprising:
    - receiving, via an interface coupled with the rules memory, storing the second plurality of rules in the rules memory at the second memory location; and
      
      allowing the pointer address to be changed to specify the second memory location.
  - 73. The method of claim 49, wherein the first and second processors comprise at least one of a microcoded processor, a field programmable gate array, an application specific integrated circuit or combinations thereof.
  - 74. The method of claim 49, wherein the rules memory comprises at least one of a microcode storage, set of logic gates, or combinations thereof, and wherein the second rule comprises at least microcode stored in the microcode storage, a combination of at least a portion of the set of logic gates, or combinations thereof.
  - 75. The method of claim 49, wherein the first processor comprises a classification processor.
  - 76. The method of claim 49, wherein the rules memory comprises a content addressable memory.
  - 77. The method of claim 49, wherein the at least one operation of the second rule comprises at least one of data gathering, decision, action or combinations thereof.
  - 78. The method of claim 49, wherein the at least one operation of the second rule comprises at least one of modify the captured packet, delete the captured packet, release the captured packet, copy the captured packet, substitute for the captured packet, forward the captured packet, forward a copy of the captured packet, store data relating to the captured packet, compare at least a portion of the captured packet, or combinations thereof.
  - 79. The method of claim 49, wherein the at least one operation of the second rule comprises at least one of evaluate a mathematical algorithm, evaluate a Boolean function, determine which of the first or second plurality of rules the second processor is to retrieve next, execute another of the first or second plurality of rules, evaluate past activity, compare data or combinations thereof.
  - 80. The method of claim 49, wherein the first and second plurality of rules comprise a default rule operative to release the captured packet to the network for transmission to the intended destination.
  - 81. The method of claim 49, wherein the first and second plurality of rules further comprise a plurality of rule sets, each of the plurality of rule sets comprising a portion of the plurality of rules.
  - 82. The method of claim 81, wherein the portion of the first and second plurality of rules associated with each rule set comprises a root rule hierarchically linked with the remaining rules of the portion.
  - 83. The method of claim 81, wherein each rule set comprises an application.
  - 84. The method of claim 81, wherein at least two or more rule sets are interlinked.
  - 85. The method of claim 81, wherein each rule set comprises a storage memory operative to store data at least one of generated by, used by or combinations thereof, at least one of the portion of the plurality of rules.
  - 86. The method of claim 85, wherein the data comprises data representative of state.
  - 87. The method of claim 85, wherein the storage memory is accessible only by the associated rule set.
  - 88. The method of claim 81, wherein the second processor is further operative to execute the at least one operation of more than one rule of the first and second plurality of rules substantially simultaneously.
  - 89. The method of claim 49, wherein each of the plurality of portions comprises a data layer.
  - 90. The method of claim 49, wherein the intended destination comprises at least one of a physical destination, a logical destination, or combinations thereof.
  - 91. The method of claim 49, wherein the executing of the at least one operation of the second rule further comprises generating a result, retrieving a third rule of the first or second plurality of rules from the rules memory and executing the at least one operation of the third rule based on the result.
  - 92. The method of claim 49, further comprising:
    - storing a result of the at least one operation of the second rule in a storage memory; and
      
      allowing the stored result to be at least one of read, modified or combinations thereof via an interface.
  - 93. The method of claim 49, wherein each of the plurality of packets is further characterized by at least one parameter not directly specified by any of the plurality of portions, the apparatus further comprising:
    - transmitting at least a portion of the contents of the packet memory onto the network based on the at least one parameter.
  - 94. The method of claim 49, wherein each of the plurality of packets is further characterized by at least one parameter not directly specified by any of the plurality of portions, and further wherein at least one of the first or second plurality of rules further defines at least one operation to be performed based on at least one of the at least one parameter.
  - 95. The method of claim 94, wherein the at least one parameter comprises a time stamp.
  - 96. The method of claim 94, wherein the at least one parameter is derived from the packet.

97. An apparatus for processing a plurality of packets, each of the plurality of packets being communicated via a network from a source to a destination intended by the source, each of the plurality of packets comprising a plurality of portions, the method comprising:
- means for storing a first plurality of rules in a rules memory means, wherein the first plurality of rules comprises a first root rule stored in a first memory location in the rules memory means and further wherein each of the remaining of the first plurality of rules is hierarchically linked with the first root rule and defines at least one operation to be performed, the first root rule operative to define which of the plurality of packets are to be captured for subsequent processing and which of the remaining of the first plurality of rules is to be subsequently executed, the rules memory means being further capable of storing a second plurality of rules, wherein the second plurality of rules comprises a second root rule stored in a second memory location in the rules memory means and further wherein each of the remaining of the second plurality of rules is hierarchically linked with the second root rule and defines at least one operation to be performed, the second root rule operative to define which of the plurality of packets are to be captured for subsequent processing and which of the remaining of the second plurality of rules is to be subsequently executed;
  
  means for storing a pointer address in a pointer memory location coupled with a first processor means, the first processor means being further coupled with the rules memory means and the network, the pointer address specifying the first memory location and being further capable of being changed to specify the second memory location;
  
  means for retrieving, by the first processor means, one of the first or second root rules by accessing the pointer memory location to obtain the pointer address and retrieving the first or second root rule based thereon and executing the first or second root rule to examine at least a first portion of the plurality of portions of at least one of the plurality of packets and capture the examined packet from the network as defined by the first or second root rule;
  
  means for storing the captured packet in a packet memory means coupled with the first processor means; and
  
  means for selecting, by a second processor means coupled with the first processor means, the packet memory means and the rules memory means, a second rule of the first or second plurality of rules from the rules memory, the selection being based on at least the first or second root rule, and executing the at least one operation of the second rule.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lookingglass Cyber Solutions, LLC
Original Assignee
Cloudshire Technologies Incorporated
Inventors
Jungck, Peder J.
Primary Examiner(s)
Vu; Thong H

Application Number

US11/189,172
Publication Number

US 20060029104A1
Time in Patent Office

1,471 Days
Field of Search

370/230, 370/466, 370/535, 370/212, 370/503, 370/468, 370/486, 370/412, 709/246, 709/228, 709/226
US Class Current

370/498
CPC Class Codes

H04L 47/10   Flow control; Congestion co...

H04L 47/19   at layers above the network...

H04L 61/4511   using domain name system [DNS]

H04L 63/0263   Rule management

H04L 69/22   Parsing or analysis of headers

System and method for processing packets according to concurrently reconfigurable rules

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

117 Citations

97 Claims

Specification

Use Cases

Quick Links

Others

System and method for processing packets according to concurrently reconfigurable rules

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

117 Citations

97 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others